Why does ZWS appear to run as 'root' under HP-UX?

On HP-UX, userspace utilities such as top or ps report that ZWS is running as root even though it has been configured to run as a different user.

# ps -ef | grep zeus.web
root 16423 16284 1 21:34:08 pts/ta 0:00 grep zeus.web
root 17613 17609 0 22:15:51 ? 0:00 /space/cbuckley/zeus/web/bin/zeus.web
root 17609 1 18 22:15:51 ? 0:00 /space/cbuckley/zeus/web/bin/zeus.web
root 17612 17609 0 22:15:51 ? 0:00 /space/cbuckley/zeus/web/bin/zeus.web

It would appear from this output that ZWS is running as root. Clearly, this has significant security implications. However, the child processes (17612 & 17613) are actually running as a user with a UID of 1596, rather than one of 0, which we would equate with root.

HP-UX is, correctly, reporting the real GID/UID that zeus.web is running as. However, ZWS relies on downgrading its child process(es) at start-up to the effective GID/UID referred to above. HP-UX's ps utility outputs the real permissions, not the effective ones, which unfortunately serves to confuse the security-conscious systems administrator.

The important question we need to ask is, "How can I prove that my child processes (remember, the parent zeus.web process will always run as root) are running as the GID/UID specified in $ZEUSHOME/web/global.cfg?"

Let's turn to C to help us...

Here's the source code[1]:

#include <sys/types.h>
#include <sys/param.h>
#include <sys/pstat.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    struct pst_status pst;
    pid_t pid = 0;
    int count = 0;

    /* The pid to check is passed in as the first arg; refuse to run without it. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s pid\n", argv[0]);
        return 1;
    }
    pid = (pid_t) atoi(argv[1]);

    /* Get information about a particular pid-- this is a bit
    ** strange, but you can set the third parameter (elemcount)
    ** to 0 and set the last parameter (index) to the pid you
    ** want information about and it will fill in info for that
    ** process only. This same call, with different parms can
    ** get you the info for all executing processes on the system.
    */
    count = pstat_getproc(&pst, sizeof(struct pst_status), 0, pid);
    switch (count)
    {
    case -1:
        perror("pstat_getproc()");
        break;
    case 0:
        fprintf(stderr, "No such pid: %ld\n", (long) pid);
        break;
    default:
        /* Now that you have the uid values, you could use
        ** a call to getpwuid to get the password structure
        ** so that you could print out the user name here,
        ** but I am not going into that in this example.
        */
        fprintf(stdout, "EUID = %ld RUID = %ld EGID = %ld\n",
                (long) pst.pst_euid, (long) pst.pst_uid, (long) pst.pst_egid);
        break;
    }
    return 0;
}

Let's compile!

/usr/local/bin/gcc pstat.c -o pstat

Now we have a pstat binary. We can use this program to satisfy ourselves that ZWS is running with the correct permissions:

bash# ./pstat 17609
EUID = 0 RUID = 0 EGID = 0

This is the parent process running as root.

bash# ./pstat 17612
EUID = 1177 RUID = 0 EGID = 1596
bash# ./pstat 17613
EUID = 1177 RUID = 0 EGID = 1596

These are the zeus.web child processes running with an EGID of 1596.
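
The manual check above can be automated. The following is an added example, not part of the original article or of ZWS: it parses the line printed by the pstat program and reports whether a child's effective UID/GID are the expected ones. The expected values 1177 and 1596 are taken from the sample output above and stand in for whatever is set in global.cfg; check_child and the verdict names are hypothetical.

```c
#include <stdio.h>

/* Result of checking one line printed by the pstat program above. */
enum verdict { V_OK, V_ROOT_ID, V_WRONG_ID, V_PARSE_ERROR };

/* Check a child's "EUID = n RUID = n EGID = n" line against the
 * UID/GID the administrator expects (assumed to match global.cfg). */
enum verdict check_child(const char *line, long want_uid, long want_gid)
{
    long euid, ruid, egid;

    /* Anything else (e.g. an error message instead of IDs) is rejected. */
    if (sscanf(line, " EUID = %ld RUID = %ld EGID = %ld",
               &euid, &ruid, &egid) != 3)
        return V_PARSE_ERROR;
    /* RUID is parsed but not judged: it stays 0, which is what ps shows. */
    if (euid == 0 || egid == 0)
        return V_ROOT_ID;
    if (euid != want_uid || egid != want_gid)
        return V_WRONG_ID;
    return V_OK;
}

int main(void)
{
    /* Constructed sample input: the first two lines are copied from the
     * output above, the rest are made up to exercise the failure cases. */
    static const char *lines[] = {
        "EUID = 1177 RUID = 0 EGID = 1596",
        "EUID = 1177 RUID = 0 EGID = 1596",
        "EUID = 0 RUID = 0 EGID = 0",
        "EUID = 1177 RUID = 0 EGID = 0",
        "No such pid: 17612",
    };
    static const char *names[] = { "ok", "root ID still effective",
                                   "unexpected UID/GID", "unparseable" };
    int failures = 0;
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        enum verdict v = check_child(lines[i], 1177, 1596);
        printf("%-34s -> %s\n", lines[i], names[v]);
        if (v != V_OK)
            failures++;
    }
    return failures ? 1 : 0;
}
```

The non-zero exit status when any line fails makes the check usable from a monitoring script.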

[1]: Original Author L. Spells 17/3/98.

Content Manager [Administrator] 05 June 2006